Geeklog 1.4.0sr2, 1.3.11sr5, 1.3.9sr5

Unfortunately, yet another Geeklog security issue has surfaced: Konstantin Dyakoff found an old bug in the session handling that would allow anyone to log in as any user. This bug exists in all Geeklog versions released since 2002.

To address this serious issue, we are releasing the following security updates and strongly suggest that you upgrade your site as soon as possible.

The 1.4.0sr2 update also strips HTML tags from the location entry in a user's profile (a problem that only existed in 1.4.0). The 1.3.9sr5 update also includes the fixes for the earlier security issues. While Geeklog 1.3.9 isn't officially supported any more, we're making an exception here because of the severity of the issues and since many people still seem to be using that version. Nevertheless, we'd suggest that you upgrade to 1.4.0 at your earliest convenience.

Well, I guess there goes our reputation as one of the more secure web applications. After two severe issues in two weeks, it's hard to hold up that claim much longer. Apologies on behalf of the Geeklog Team for any inconvenience we may have caused you.

As a consequence, we will be concentrating on doing code reviews and fixing bugs (security-related and otherwise) for Geeklog 1.4.1 and will put implementing new features on the back burner. We've obviously got some homework to do in order to earn back your trust.

Please feel free to use the comments or the Feedback forum to tell us what you think about all this.

Geeklog has released a security upgrade that affects all versions, so I will be upgrading your website over the next few days. If you experience any unusual activity or outages on your website, please contact me.
Thanks, Jason

Uploading the fixed lib-sessions.php is probably easier. It's the only file that you need to update to fix this particular problem. And it doesn't depend on any other changes, so it would help even if you're on, say, an otherwise unpatched 1.3.11.

Yes, replacing lib-sessions.php makes this particular problem (that anyone could log into your site) go away. Depending on the Geeklog version you're on, there may be other problems to fix as well, though (see above).

Has anyone noticed any recent hacking attempts, perhaps to take advantage of this security hole? The reason I ask is I've seen a few strange new user submissions to my sites, from a couple of email accounts @mail.ru.